Merge pull request #34 from fugue/improved-waivers

Improved waivers

Makefile

@@ -1,7 +1,7 @@
 TEST?=$$(go list ./... | grep -v 'vendor')
 NAME=fugue/fugue
 BINARY=terraform-provider-fugue
-VERSION=0.0.5
+VERSION=0.0.6
 OS_ARCH=darwin_amd64
 
 default: install
@@ -34,6 +34,8 @@ test:
 testacc: 
 	TF_ACC=1 go test $(TEST) -v $(TESTARGS) -timeout 120m
 
+# Uses tfplugindocs from https://github.com/hashicorp/terraform-plugin-docs
+# Version v0.4.0
 .PHONY: docs
 docs:
 	tfplugindocs

docs/resources/aws_environment.md

@@ -22,11 +22,11 @@ data "fugue_aws_types" "all" {
 }
 
 resource "fugue_aws_environment" "example" {
-  name = "example"
-  role_arn = var.role_arn
-  regions = ["*"]
+  name                = "example"
+  role_arn            = var.role_arn
+  regions             = ["*"]
   compliance_families = ["CIS-AWS_v1.3.0", "CIS-Docker_v1.2.0"]
-  resource_types = data.fugue_aws_types.all.types
+  resource_types      = data.fugue_aws_types.all.types
 }
 ```
 

docs/resources/rule.md

@@ -14,12 +14,12 @@ description: |-
 
 ```terraform
 resource "fugue_rule" "rule1" {
-  name = "RDS example rule"
-  description = "RDS instances should not be set as publicly accessible."
+  name           = "RDS example rule"
+  description    = "RDS instances should not be set as publicly accessible."
   cloud_provider = "AWS"
-  severity = "High"
-  resource_type = "AWS.RDS.Instance"
-  rule_text = <<EOF
+  severity       = "High"
+  resource_type  = "AWS.RDS.Instance"
+  rule_text      = <<EOF
 default allow = false
 
 allow {

docs/resources/rule_waiver.md

@@ -14,13 +14,24 @@ description: |-
 
 ```terraform
 resource "fugue_rule_waiver" "example" {
-  name = "waive-FG_R00229"
-  comment = "This S3 bucket is intentionally public"
-  environment_id = fugue_aws_environment.test.id
-  rule_id = "FG_R00229"
-  resource_type = "AWS.S3.Bucket"
+  name              = "waive-FG_R00229"
+  comment           = "This S3 bucket is intentionally public"
+  environment_id    = fugue_aws_environment.test.id
+  rule_id           = "FG_R00229"
+  resource_type     = "AWS.S3.Bucket"
   resource_provider = "aws.us-east-1"
-  resource_id = "my-public-s3-bucket"
+  resource_id       = "my-public-s3-bucket"
+}
+
+resource "fugue_rule_waiver" "tag_example" {
+  name              = "waive-FG_R00357"
+  comment           = "Ignore network ACL issues in development"
+  environment_id    = fugue_aws_environment.test.id
+  rule_id           = "FG_R00357"
+  resource_type     = "*"
+  resource_provider = "*"
+  resource_id       = "*"
+  resource_tag      = "Environment:dev"
 }
 ```
 
@@ -37,6 +48,10 @@ resource "fugue_rule_waiver" "example" {
 - **resource_type** (String) The type string of the resource, such as `AWS.S3.Bucket`.
 - **rule_id** (String) The ID of the rule to be waived, such as `FG_R00229`.
 
+### Optional
+
+- **resource_tag** (String) A resource tag to match on, such as `Team:Engineering`.
+
 ### Read-Only
 
 - **id** (String) The unique ID for this waiver as generated by Fugue.

examples/main.tf

@@ -31,11 +31,11 @@ output "aws_env_id" {
 
 # Waives "IAM root user access key should not exist" as an example
 resource "fugue_rule_waiver" "waiver1" {
-  name = "waive-FG_R00004"
-  comment = "This is an example waiver!"
-  environment_id = fugue_aws_environment.test.id
-  rule_id = "FG_R00004"
-  resource_type = "AWS.IAM.CredentialReport"
+  name              = "waive-FG_R00004"
+  comment           = "This is an example waiver!"
+  environment_id    = fugue_aws_environment.test.id
+  rule_id           = "FG_R00004"
+  resource_type     = "AWS.IAM.CredentialReport"
   resource_provider = "*"
-  resource_id = "*"
+  resource_id       = "*"
 }

examples/resources/fugue_aws_environment/resource.tf

@@ -8,9 +8,9 @@ data "fugue_aws_types" "all" {
 }
 
 resource "fugue_aws_environment" "example" {
-  name = "example"
-  role_arn = var.role_arn
-  regions = ["*"]
+  name                = "example"
+  role_arn            = var.role_arn
+  regions             = ["*"]
   compliance_families = ["CIS-AWS_v1.3.0", "CIS-Docker_v1.2.0"]
-  resource_types = data.fugue_aws_types.all.types
+  resource_types      = data.fugue_aws_types.all.types
 }

examples/resources/fugue_rule/resource.tf

@@ -1,11 +1,11 @@
 
 resource "fugue_rule" "rule1" {
-  name = "RDS example rule"
-  description = "RDS instances should not be set as publicly accessible."
+  name           = "RDS example rule"
+  description    = "RDS instances should not be set as publicly accessible."
   cloud_provider = "AWS"
-  severity = "High"
-  resource_type = "AWS.RDS.Instance"
-  rule_text = <<EOF
+  severity       = "High"
+  resource_type  = "AWS.RDS.Instance"
+  rule_text      = <<EOF
 default allow = false
 
 allow {

examples/resources/fugue_rule_waiver/resource.tf

@@ -1,10 +1,21 @@
 
 resource "fugue_rule_waiver" "example" {
-  name = "waive-FG_R00229"
-  comment = "This S3 bucket is intentionally public"
-  environment_id = fugue_aws_environment.test.id
-  rule_id = "FG_R00229"
-  resource_type = "AWS.S3.Bucket"
+  name              = "waive-FG_R00229"
+  comment           = "This S3 bucket is intentionally public"
+  environment_id    = fugue_aws_environment.test.id
+  rule_id           = "FG_R00229"
+  resource_type     = "AWS.S3.Bucket"
   resource_provider = "aws.us-east-1"
-  resource_id = "my-public-s3-bucket"
+  resource_id       = "my-public-s3-bucket"
+}
+
+resource "fugue_rule_waiver" "tag_example" {
+  name              = "waive-FG_R00357"
+  comment           = "Ignore network ACL issues in development"
+  environment_id    = fugue_aws_environment.test.id
+  rule_id           = "FG_R00357"
+  resource_type     = "*"
+  resource_provider = "*"
+  resource_id       = "*"
+  resource_tag      = "Environment:dev"
 }

fugue/resource_rule_waiver.go

@@ -67,6 +67,12 @@ func resourceRuleWaiver() *schema.Resource {
 				Required:    true,
 				ForceNew:    true,
 			},
+			"resource_tag": {
+				Description: "A resource tag to match on, such as `Team:Engineering`.",
+				Type:        schema.TypeString,
+				Optional:    true,
+				ForceNew:    true,
+			},
 		},
 	}
 }
@@ -84,6 +90,11 @@ func resourceRuleWaiverCreate(ctx context.Context, d *schema.ResourceData, m int
 	resourceType := d.Get("resource_type").(string)
 	resourceID := d.Get("resource_id").(string)
 
+	var resourceTag string
+	if resourceTagSetting, ok := d.GetOk("resource_tag"); ok {
+		resourceTag = resourceTagSetting.(string)
+	}
+
 	validRule, err := isValidRuleID(client, ruleID)
 	if err != nil {
 		return diag.FromErr(err)
@@ -106,6 +117,7 @@ func resourceRuleWaiverCreate(ctx context.Context, d *schema.ResourceData, m int
 		ResourceProvider: &resourceProvider,
 		ResourceType:     &resourceType,
 		ResourceID:       &resourceID,
+		ResourceTag:      resourceTag,
 	}
 
 	var waiverID string
@@ -184,6 +196,11 @@ func resourceRuleWaiverRead(ctx context.Context, d *schema.ResourceData, m inter
 	if err := d.Set("rule_id", waiver.RuleID); err != nil {
 		return diag.FromErr(err)
 	}
+	if waiver.ResourceTag != nil {
+		if err := d.Set("resource_tag", waiver.ResourceTag); err != nil {
+			return diag.FromErr(err)
+		}
+	}
 
 	return diags
 }

go.mod

@@ -3,9 +3,18 @@ module terraform-provider-fugue
 go 1.14
 
 require (
-	github.com/fugue/fugue-client v0.13.1
-	github.com/go-openapi/runtime v0.19.0
-	github.com/go-openapi/strfmt v0.19.0
+	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
+	github.com/fugue/fugue-client v0.14.0
+	github.com/go-openapi/analysis v0.20.1 // indirect
+	github.com/go-openapi/errors v0.20.0 // indirect
+	github.com/go-openapi/runtime v0.19.28
+	github.com/go-openapi/strfmt v0.20.1
+	github.com/go-openapi/swag v0.19.15 // indirect
+	github.com/go-openapi/validate v0.20.2 // indirect
 	github.com/hashicorp/terraform-plugin-docs v0.2.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.3.0
+	github.com/mailru/easyjson v0.7.7 // indirect
+	go.mongodb.org/mongo-driver v1.5.2 // indirect
+	golang.org/x/net v0.0.0-20210525063256-abc453219eb5 // indirect
+	golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea // indirect
 )